The European Banking Authority (EBA) has published two documents, Opinion of the EBA on the Implementation of the RTS on SCA and CSC and Consultation Paper, in its ongoing PSD2 implementation process. Whilst there’s still lots of information to come, this communication does provide details on how strong customer authentication (SCA) and common and secure communication (CSC) need to be implemented.
The Opinion Paper, addressed to Competent Authorities, discusses key areas identified by the market and the authorities after the publication of the RTS in March. These include the exemptions to SCA (contactless payments, for example), consent, the scope of data sharing and requirements for Open APIs. The EBA has also been clear that two-factor authentication means two elements in two categories. The EBA’s clarifications on two-factor authentication also show that our Dynamic Code Verification cards and mobile are very relevant in the context of this regulation.
The EBA is very aware that banks need more details in order to comply successfully, and it intends to continue its work on clarification.
The Consultation Paper, focusing on “the conditions to be met to benefit from an exemption from contingency measures” (for banks to open their systems to free access by TPPs), will help gather the views and expertise of the market’s players on this important topic.
At Gemalto, we’ve spent a lot of time with banking sector customers building in the mechanisms for SCA and CSC, and have published a helpful resource to guide our customers on the preparation required for PSD2 here.
We’ll publish updates as further clarity comes in the weeks and months ahead.